Neil Kandalgaonkar wrote:
What are the security problems with a simple AJAX login implementation that just POSTs, compared to digest authentication?
With digest authentication you can transmit credentials over unencrypted HTTP without worrying that someone is capturing your plaintext password, say in a log file, and can log in as you later.
The use of digest authentication is unrelated to using AJAX or not. However, since you need a request between having the user and sending the password (to ask for the db salt for that user), the interface would be odd without AJAX (and you need javascript anyway). Remember that you still need to add another salt to avoid the hash being plaintext equivalent.